Platform
nodejs
Component
openclaw
Fixed in
2026.2.23
CVE-2026-32040 describes a cross-site scripting (XSS) vulnerability within the HTML session exporter component of OpenClaw. This flaw arises from the improper handling of img.mimeType values when constructing HTML <img> tags, allowing attackers to inject malicious JavaScript. Affected versions are those prior to 2026.2.23; upgrading to this version resolves the issue.
An attacker can exploit this vulnerability by crafting tool results or manipulating session data to include images with malicious mimeType values. When such a value is interpolated into the HTML src attribute without escaping, it can break out of the attribute context and execute arbitrary JavaScript in the user's browser. This could lead to session hijacking, data theft, or defacement of the OpenClaw interface. Successful exploitation requires the attacker to control image content blocks within the session data, which makes this a somewhat more constrained attack vector than generic XSS.
This vulnerability was publicly disclosed on 2026-03-03. There is currently no indication of active exploitation campaigns targeting CVE-2026-32040. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals using OpenClaw for session recording and analysis, particularly those who allow users to upload or provide data that is subsequently included in session exports, are at risk. Environments where session data is processed and exported without proper validation are especially vulnerable.
• nodejs: Monitor OpenClaw logs for unusual activity related to image processing or session export. Use npm audit to check for known vulnerabilities in OpenClaw dependencies.
• generic web: Examine exported HTML files for suspicious <img> tags with unusual src attributes. Use curl to inspect the exported HTML endpoint for potential injection points: curl 'http://your-openclaw-instance/export-html' | grep '<img src="data:'
disclosure
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32040 is to upgrade OpenClaw to version 2026.2.23 or later, which includes the necessary fixes to properly sanitize img.mimeType values. If upgrading is not immediately feasible, consider implementing input validation on the server-side to restrict allowed mimeType values to a whitelist of safe types. While not a complete solution, this can reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this specific vulnerability, so focus on the upgrade and input validation.
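The unsafe interpolation described above, next to the allow-list plus attribute-escaping approach the mitigation recommends, as an added illustration that is not OpenClaw's code: the function names, the sample content blocks and the allow-list are assumptions made for this example.

```javascript
// Added example (not OpenClaw's code). Names and sample data are hypothetical.

// Constructed image content block, shaped like what a session exporter might receive.
const SAMPLE_BLOCK = { mimeType: 'image/png', data: 'iVBORw0KGgo=' };

// Constructed block whose mimeType closes the src attribute early. It carries no script,
// only the attribute breakout the advisory describes.
const TAMPERED_BLOCK = { mimeType: 'image/png" data-injected="1', data: 'iVBORw0KGgo=' };

// Vulnerable pattern: mimeType goes into the src attribute verbatim.
function renderImageTagUnsafe(block) {
  return `<img src="data:${block.mimeType};base64,${block.data}">`;
}

// Allow-list of image MIME types the exporter is willing to embed (assumed set).
const ALLOWED_IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);

// Minimal HTML attribute escaping: neutralises the characters that can end an
// attribute value or a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened renderer: reject any mimeType outside the allow-list, require the payload
// to be base64, and escape the attribute anyway as defence in depth. Returns null when
// the block is rejected so the caller can skip or log it.
function renderImageTagSafe(block) {
  const mimeType = String(block.mimeType || '').toLowerCase();
  if (!ALLOWED_IMAGE_TYPES.has(mimeType)) return null;
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(String(block.data || ''))) return null;
  return `<img src="data:${escapeAttr(mimeType)};base64,${escapeAttr(block.data)}">`;
}

// Quick check for exporter output: a single <img> with one quoted src attribute should
// contain exactly one tag opener and exactly two double quotes. Anything else means the
// attribute boundary was broken, which is what the grep in the detection notes looks for.
function attributeBreakout(html) {
  const tagCount = (html.match(/<[a-zA-Z]/g) || []).length;
  const quoteCount = (html.match(/"/g) || []).length;
  return tagCount !== 1 || quoteCount !== 2;
}
```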
Update OpenClaw to version 2026.2.23 or later. This version fixes the HTML injection vulnerability by correctly validating the MIME types of images in content blocks.
CVE-2026-32040 is a cross-site scripting (XSS) vulnerability in OpenClaw's HTML session exporter. It allows attackers to inject JavaScript code when exporting HTML sessions if image mimeType values are not properly validated.
You are affected if you are using OpenClaw versions prior to 2026.2.23 and allow users to upload or provide data that is included in session exports.
Upgrade OpenClaw to version 2026.2.23 or later. As a temporary workaround, implement server-side input validation to restrict allowed mimeType values.
There is currently no indication of active exploitation campaigns targeting CVE-2026-32040.
Refer to the OpenClaw project's official website or GitHub repository for the latest security advisories and updates.